The underlying vulnerability can be exploited on many computers running Windows Vista and Windows 7, and it also affects version 9 of the Microsoft browser, said HD Moore, CSO of security firm Rapid7 (and the chief architect of the open-source Metasploit tool kit used by penetration testers and hackers). He said a Metasploit module researchers already added to the framework works against the later operating systems when Oracle's Java Standard Edition 6 or Microsoft's Visual C runtime library is installed. The software add-ons make otherwise protected systems vulnerable by allowing attackers to bypass a malware defense known as ASLR, or address space layout randomization, that debuted in Windows Vista.

"What may be most worrying is that Windows Vista and 7 don't protect you," Moore told Ars. "This is one of the few times that a vulnerability has been successfully exploited across all the production shipping versions of the browser and OS. The surprising thing about this is the fact they (Metasploit researchers) got to work across every one of these platforms."

The exploits circulating in the wild may be relying on other methods to override the more limited defenses included in the Service Pack 3 version of Windows XP. According to Eric Romang, the researcher who disclosed the IE attacks over the weekend, they require the victim to be running Adobe's Flash Player, possibly to carry out what's known as a "heap spray" (another technique for bypassing ASLR). The attacks are being carried out by the same gang that waged the recent stealth attacks against critical vulnerabilities in Java. The files used in the latest wave of attacks (cataloged here, here, here, and here) had little or no detection by the 34 most widely used antivirus programs, at least at the time Romang published his blog post. It wouldn't be surprising for detection to ramp up quickly in the next few hours.

Yunsun Wee, director, Microsoft Trustworthy Computing, said in a statement that Microsoft is aware of "targeted attacks potentially affecting some versions of Internet Explorer" and is investigating.

"We have confirmed that Internet Explorer 10 is not affected by this issue," she wrote. She went on to recommend customers install EMET 3.0. Short for Enhanced Mitigation Experience Toolkit, the Microsoft utility brings enhanced security protections to Windows, particularly earlier versions of the operating system. Later in the day, Microsoft expanded on those recommendations in an advisory posted to the company's website.

Windows users should avoid using IE until more is known about the vulnerability. As Ars has counseled before, Java should be kept up-to-date or uninstalled altogether if users don't rely on it to enable other software to work. For users who are unable or unwilling to uninstall Java, updating to Java Standard Edition 7 appears to be another way to remain protected from this threat, although it immediately opens users up to a separate critical vulnerability in Java that Oracle has yet to publicly acknowledge.

Moore said the attacks are exploiting a use-after-free vulnerability in IE that allows attackers to create an image URL that references uninitialized memory. The in-the-wild attacks appear to be targeting only Windows XP systems. But with the release of Metasploit code that works on a much wider array of platforms, it wouldn't be surprising to see attacks target those systems as well.

Even when people don't actively use IE, many utilities and third-party applications make use of IE code. That opens the possibility that people on public WiFi systems and other unsecured networks could inject malicious code into a victim's Web traffic in an attempt to exploit the vulnerability.

"Just keep in mind that even if you don't use IE for day-to-day browsing, a lot of tools you use do embed IE and those are vulnerable," Moore said.

Story updated to add details about a separate critical vulnerability in Java. Later updated to add comment from Microsoft's Wee.

I'm not saying it's perfect, but so much of the anti-Microsoft sentiment on here seems to be informed by the sort of opinions we saw expressed on Amiga forums circa 2000. It is really boring and frankly not even fashionable anymore.

Author, you should have placed "Critical Zero-day flash bug in Internet Explorer". Omitting Flash from the title gives a whole different perspective.

"they require the victim to be running Adobe's Flash Player"

Running plugins (NPAPI/ActiveX) in *any* browser has full access to the entire operating system. That is why there is a new proposal for sandboxed plugins, PPAPI (Pepper).

So the wording of this subject is pretty much off. Should have stated Flash, since it is a plugin to IE.

The bug is in IE, not in Flash, and as demonstrated by the new Metasploit module, Flash is not required to make the exploit work. Flash is just one of several methods that can be used to bypass security defenses such as ASLR that Microsoft has added to Windows. The in-the-wild exploit that's being used to install Poison Ivy is making use of Flash to get around ASLR. Moore says Java SE 6 and the Visual C++ runtime library can be used to do much the same thing.

Not to worry, my Win7 box downloads security updates nearly every day and I read a lot about how MS took a lot of effort in building a well designed modular and secure system (win7), so the issues that you mentioned should not affect me.

Anyway all the nix variants also get affected by same issues so there is no alternative really.

Not to worry, my Win7 box downloads security updates nearly every day and I read a lot about how MS took a lot of effort in building a well designed modular and secure system (win7), so the issues that you mentioned should not affect me.

Not sure if serious... If the bad guys start targeting Windows 7 before MS releases a patch and you use IE, you could get owned. It wouldn't matter how diligent you are about installing patches because there wouldn't be one. That's the situation XP users are in and you're only safe by luck.

Quote:

Anyway all the nix variants also get affected by same issues so there is no alternative really.

Yeah? This exploit also exists in *nix? Would you mind showing us a proof of concept?

It's funny, as more and more people are on-line in some form all the time (smart phones, tablets, netbooks, game consoles, standard desktop computers, and even web connected appliances like televisions and a/c units) I'm reminded of an Outer Limits episode.

In this episode, people are always connected to a neural network. They can do things like access a digital library and have instant knowledge of the entire library in mere seconds. Only one person, due to some abnormality, cannot be wired in. Eventually attacks start occurring on this network, and actual people are hacked, leading up to the eventuality that the network must be disabled, and the one person who couldn't ever be connected must teach people how to access physical information like reading a book.

Seems like every time you turn around we're seeing more and more attacks along with more severe consequences in some cases. Some that seem to even be funded by wealthy nations in an emerging state of cyber-warfare. I wonder if at any point this is going to sour some people against the emerging digital world where everyone is on-line in some way all the time.

Anyway all the nix variants also get affected by same issues so there is no alternative really.

Yeah? This exploit also exists in *nix? Would you mind showing us a proof of concept?

sunshinerag is hopelessly wrong about 0-days and patch cycles, but any malicious process on a *nix box can (trivially) execute as the user it's running under. That means any browser weakness could run as the user, without requiring any holes in *nix-style security.

sunshinerag is hopelessly wrong about 0-days and patch cycles, but any malicious process on a *nix box can (trivially) execute as the user it's running under. That means any browser weakness could run as the user, without requiring any holes in *nix-style security.

I assumed that "the exploit" referred to the bug that allowed execution of arbitrary code within the browser's process, not the fact that such code runs with the user's permissions, in which case (s)he's full of shit.

This is why I've been pushing everybody I know over to Chrome over the past few years. At least Google actively rewards people who find serious bugs and then patches Chrome to fix them very quickly, while Microsoft will issue their standard "no comment" statement and MAYBE get around to patching it a few months down the road (if at all). Oh, and then there's the fact that IE has been a web developer's nightmare since day one... there's really no good reason at all to use it as your primary web browser.

How exactly does an application having some kind of embedded use of IE get exploited? The article says it relies on a malicious webpage, but if your app (like one I've worked on) merely generates HTML based on data it created and stored in a database and displays it in the app, how exactly is that going to get exploited? I call shenanigans on that!

I know it's fun to hate Flash, but the article makes it sound like the root cause is:

Quote:

Moore said the attacks are exploiting a use-after-free vulnerability in IE that allows attackers to create an image URL that references uninitialized memory.

Not sure what relation the image exploit has to Flash...

You need Flash to do a heap spray first to inject the executable code into memory; without that (or possibly using Java) the exploit is useless.

Also, the requirement to have Java or the MS VC runtime suggests the way the Metasploit module is bypassing ASLR under Windows Vista/7 is by using DLLs that are not ASLR compatible (in which case it must be an older version of the MSVC runtime).

sunshinerag is hopelessly wrong about 0-days and patch cycles, but any malicious process on a *nix box can (trivially) execute as the user it's running under. That means any browser weakness could run as the user, without requiring any holes in *nix-style security.

I assumed that "the exploit" referred to the bug that allowed execution of arbitrary code within the browser's process, not the fact that such code runs with the user's permissions, in which case (s)he's full of shit.

Sorry I don't see why "unix" has anything to do with what happens *inside* the browser process? *nix permissions and security features (even SE Linux extensions or AppArmor) don't help avoid such bugs.

Sorry I don't see why "unix" has anything to do with what happens *inside* the browser process? *nix permissions and security features (even SE Linux extensions or AppArmor) don't help avoid such bugs.

There's no inherent reason why the bug couldn't be on *nix, but *nix likely uses different image libraries and thus they wouldn't have the same vulnerabilities.

You should recognize that those were primarily humor. While some were funnier than the others, all were silly.

Quote:

Leading up to the eventuality that the network must be disabled, and the one person who couldn't ever be connected must teach people how to access physical information like reading a book.

A good example of how utterly ridiculous that show was and why it should never be used as an example for anything except silly low-budget sci-fi.

Quote:

Seems like every time you turn around

This exact phrase in fact would be a textbook example of a number of cognitive biases at work. Humans have a tendency to do things like ignore base rates, assign undue probability weight to things they remember (availability heuristic), and so forth, all of which has a tendency to exaggerate outliers. The reason this sort of stuff makes the news is that it's rare. You're making the mistake (amongst others) of recognizing and remembering an exploit event, while ignoring the entire remainder of the time without, and not appropriately weighing the positive against any negatives.

Quote:

along with more severe consequences in some cases.

This has no meaning.

Quote:

Some that seem to even be funded by wealthy nations in an emerging state of cyber-warfare.

So what?

Quote:

I wonder if at any point this is going to sour some people against the emerging digital world where everyone is on-line in some way all the time.

This is also pretty meaningless. "Some" (which without qualification can only mean >1) people out of billions will absolutely no doubt be "soured" against, well, nearly anything at all. Humans are diverse. Whether they've actually got any sound reasoning or not, and whether a significant percentage of the general population would agree is an entirely different question. And as far as the general population goes the answer is "No, not unless the negatives outweighed the positives and there were no counters." Which is so, so far from reality as to be practically inconceivable with existing technology.

Quote:

maybe it's silly.

It is. There's nothing wrong with being silly though as long as you recognize it and don't make decisions based on it.

People often complain about the lack of Windows reporting... here's some for you!

But seriously, if you are using Internet Explorer of any type you're doing it wrong.

In the corporate world, that's not always an option. Plenty of intranets and critical web apps that are IE-only. Stupid that things got that way, but at least the migration away from IE 6 was forced a few years ago.

Using IE10 x64 on Windows 8. Force ASLR + HEASLR should make it safe. Don't know what the nonsense is about not using IE; any browser can have a bug and get exploited. The best thing to do is opt for platform protections that nullify this, like Windows 8 with an x64 browser.

He said a Metasploit module researchers already added to the framework works against the later operating systems when Oracle's Java Standard Edition 6 or Microsoft's Visual C runtime library is installed.

So, part of the problem lies in using Java 6... and there is a recommendation to upgrade to Java 7.

Java 6 ships with an old runtime library, i.e. it is compiled with an old compiler, that is not ASLR compatible, which gives the attacker somewhere to jump to. Java 7 ships with an ASLR-compatible runtime library. You can't really lose by upgrading to Java 7.

The Article wrote:

they require the victim to be running Adobe's Flash Player, possibly to carry out what's known as a "heap spray" (another technique for bypassing ASLR)

Well, the twist is that Flash allows you to do the heap spray with executable code that you'd be able to jump to. You would most likely do a heap spray in any event, but that would be with non-executable memory and you'd still need to find somewhere to return to (such as the old runtime library of Java 6).
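The two comments above (and the earlier one about the Metasploit module relying on non-ASLR-compatible DLLs) turn on a single bit in the PE header: a module opts in to ASLR by setting IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, and a 64-bit module opts in to HEASLR with IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA. The following audit script is an added example, not code from Ars, Rapid7, Metasploit or any commenter: it parses those flags straight from the PE optional header and lists the modules in a process that would load at a fixed address. The flag values and header offsets are the real ones from the PE/COFF specification; the module names and the header-only images are constructed fixtures so the script runs offline.

```python
import struct

# Real bit values from the PE/COFF specification's DllCharacteristics field.
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020  # 64-bit high-entropy ASLR (HEASLR)
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040     # image may be rebased: ASLR opt-in
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100        # DEP/NX compatible

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def parse_dll_characteristics(image: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> optional header and
    report the mitigation opt-in flags of a PE image held in memory."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4                                   # 20-byte COFF file header
    (size_of_optional,) = struct.unpack_from("<H", image, coff + 16)
    opt = coff + 20                                       # optional header start
    if size_of_optional < 0x48 or len(image) < opt + 0x48:
        raise ValueError("optional header too short to hold DllCharacteristics")
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%04x" % magic)
    # DllCharacteristics sits at offset 0x46 in both PE32 and PE32+ optional headers.
    (dll_chars,) = struct.unpack_from("<H", image, opt + 0x46)
    is_64 = magic == PE32PLUS_MAGIC
    return {
        "pe32plus": is_64,
        "dynamic_base": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "nx_compat": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        # HIGH_ENTROPY_VA only has meaning for 64-bit images.
        "high_entropy_va": is_64 and bool(dll_chars & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
    }


def modules_without_aslr(modules: dict) -> list:
    """Given {module name: image bytes}, return the names that do not opt in to
    ASLR. Such a module loads at a predictable address and weakens ASLR for
    the whole process, which is the condition the thread describes."""
    return sorted(name for name, image in modules.items()
                  if not parse_dll_characteristics(image)["dynamic_base"])


def build_minimal_pe(dll_characteristics: int, pe32plus: bool = False) -> bytes:
    """Constructed test fixture: the smallest header-only image the parser accepts.
    It is not a loadable DLL; it exists so the example runs without real files."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)               # e_lfanew: PE header follows DOS header
    machine = 0x8664 if pe32plus else 0x014C              # AMD64 / I386
    size_of_optional = 0xF0 if pe32plus else 0xE0
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (DLL | EXECUTABLE | 32BIT)
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, size_of_optional, 0x2102)
    optional = bytearray(size_of_optional)
    struct.pack_into("<H", optional, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", optional, 0x46, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(optional)


# Constructed sample process: the names are illustrative, not real file names.
SAMPLE_MODULES = {
    "browser_host.exe": build_minimal_pe(
        IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE | IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    # Stands in for a runtime built by an old compiler: DEP-aware but no ASLR opt-in.
    "legacy_runtime.dll": build_minimal_pe(IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    "modern_plugin64.dll": build_minimal_pe(
        IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE | IMAGE_DLLCHARACTERISTICS_NX_COMPAT
        | IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA, pe32plus=True),
}

if __name__ == "__main__":
    for name in modules_without_aslr(SAMPLE_MODULES):
        print("%s lacks DYNAMIC_BASE and will load at a fixed address" % name)
```

To audit a real machine, replace SAMPLE_MODULES with the on-disk images of the DLLs a process loads (read each file as bytes); a module that shows up in the output is exactly the kind of fixed-address library the commenters are pointing at, and EMET's mandatory ASLR (the "Force ASLR" mentioned above) exists to rebase such modules anyway.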

while Microsoft will issue their standard "no comment" statement and MAYBE get around to patching it a few months down the road (if at all).

Are you freaking serious right now? When's the last time Microsoft hasn't immediately pushed a patch for a publicly known vulnerability? Especially when it involves IE. It's not even that rare for them anymore to push out an out-of-band update for a particularly nasty exploit. Take your head out of your ass. They'll make a public statement about this vulnerability once they've replicated it themselves - just like they ALWAYS DO.

-----------------------------------------------

On an on-topic note regarding the article: you mention how the exploit can use a heap spray to work its way around ASLR. What if you use EMET and have the heap-spray mitigation technique turned on for your applications? Does that provide any security whatsoever in this regard? I don't even use IE, nor do I have Java installed, so it's a bit of a non-factor for me as far as this exploit goes, but I'd like to know if those extra security techniques that EMET uses (beyond just DEP and ASLR) really make that much of a difference.


I had always hoped someday Microsoft would simply drop Internet Explorer and stop the madness. But instead they just keep doing what they have always done but try to add layer after layer of added protection to fix what is broke.

Can this affect IE9 on Windows Phone 7.5 I wonder? EDIT: I guess not if this needs Flash/Java to successfully exploit.

smokedart wrote:

People often complain about the lack of Windows reporting... here's some for you!

But seriously, if you are using Internet Explorer of any type you're doing it wrong.

Or you are employed in corporate America.

No wonder America's economy is taking a beating. America used to be the country investing and innovating and reaping the rewards. Corporate America seems to be the exact opposite of that. Status quo, don't rock the boat, all the way to the bottom. :/


I guess it's time for Adobe (and perhaps Oracle) to start using the new VTGUARD protections in Windows 8 to try and protect the system/user against spray attacks like this one. Would be nice if older versions of software were updated to handle this, but I would suppose that's probably not going to happen. Hopefully Microsoft can release a fix for this quickly, or at least provide reasonable mitigation steps in the meantime if not.